Cybercriminals can recover the encryption keys that secure communication channels

Feb 29, 2012 10:23 GMT

A collaborative team of researchers, present these days at the RSA conference in San Francisco, is about to reveal an attack method that can be used to bypass the security measures offered by OpenSSL, allowing an attacker to recover the cryptographic key that ensures data is transferred in an encrypted form between users and secure webservers.

According to Quantum Day, Dr. Dan Page, a Senior Lecturer in Computer Science in the Department of Computer Science at the University of Bristol and one of the members of the team, will present the findings and show how their attack works.

By triggering a bug in the software with the aid of cleverly designed messages sent to the webservers, the experts managed to recover part of the cryptographic key. If a large number of messages are used, the entire key could be obtained.

“Our work suggests an underlying problem. With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?” Dr. Page said.

“The answer, in part at least, is a stronger emphasis on and investment in formal verification and correctness of open source software. Our research highlights the important role this topic will play for software engineers of the future.”

The approach proposed by the team only works on the 0.9.8g version of OpenSSL and only on certain configurations, but where it works it can represent yet another threat to the integrity of the SSL protocol on which so many businesses rely these days.

In the case of e-commerce websites, whose popularity is constantly growing among Internet users, exposure of the cryptographic key can make the difference between a credit card number staying safe and ending up in the hands of a profit-driven hacker.

Fortunately, newer versions of OpenSSL are not susceptible to the attack described by the researchers, a fact that once again highlights the need for companies to always apply the latest patches provided by vendors, especially where security is involved.